Bug#1003153: [pkg-apparmor] Bug#1003153: /etc/apparmor.d/usr.sbin.apache2: Apache profile complains when ss -tnlp is run

Control: forwarded -1 https://gitlab.com/apparmor/apparmor/-/merge_requests/852 Craig Small (2022-02-17): > Not sure if Debian BTS handles forwards to MR, I've only ever done it for > issues. I don't know if the code that will automatically sync the upstream state here works, but apart of that th

Bug#1003153: [pkg-apparmor] Bug#1003153: /etc/apparmor.d/usr.sbin.apache2: Apache profile complains when ss -tnlp is run

On Sat, 12 Feb 2022 at 20:35, intrigeri wrote: > Would one of you be interested in proposing this upstream? > Done https://gitlab.com/apparmor/apparmor/-/merge_requests/852 Not sure if Debian BTS handles forwards to MR, I've only ever done it for issues. - Craig

Bug#1003153: [pkg-apparmor] Bug#1003153: Bug#1003153: /etc/apparmor.d/usr.sbin.apache2: Apache profile complains when ss -tnlp is run

Hi, Craig Small (2022-02-17): > On Sat, 12 Feb 2022 at 20:35, intrigeri wrote: > >> So it seems to me a good solution may be to allow being ptraced >> in the "apache2-common" abstraction. >> > That makes sense. :) >> Would one of you be interested in proposing this upstream? >> >> I'm not using

Bug#1003153: [pkg-apparmor] Bug#1003153: /etc/apparmor.d/usr.sbin.apache2: Apache profile complains when ss -tnlp is run

On Sat, 12 Feb 2022 at 20:35, intrigeri wrote: > So it seems to me a good solution may be to allow being ptraced > in the "apache2-common" abstraction. > That makes sense. > Would one of you be interested in proposing this upstream? > > I'm not using Apache2 myself so I'm not a good person to w

Bug#1003153: [pkg-apparmor] Bug#1003153: /etc/apparmor.d/usr.sbin.apache2: Apache profile complains when ss -tnlp is run

Control: tag -1 + upstream Hi, Craig Small (2022-01-05): > On 2022-01-05 at 12:24, debian-b...@cboltz.de wrote: >> (Nevertheless, the apache hats should allow to be ptraced. OK! >> I'll leave that to the maintainer of the Apache profile in Debian - >> and would love to see the fix upstreamed.)

Bug#1003153: [pkg-apparmor] Bug#1003153: /etc/apparmor.d/usr.sbin.apache2: Apache profile complains when ss -tnlp is run

On 2022-01-05 at 12:24, debian-b...@cboltz.de wrote: > so all profiles that include abstractions/base can be ptraced. > > However, what you see happens in the HANDLING_UNTRUSTED_INPUT hat (this > hat is used when Apache processes are idle) - and Apache hats typically > don't include abstractions/ba

Bug#1003153: [pkg-apparmor] Bug#1003153: /etc/apparmor.d/usr.sbin.apache2: Apache profile complains when ss -tnlp is run

Hello, Am Mittwoch, 5. Januar 2022, 03:31:40 CET schrieb Craig Small: > audit: type=1400 audit(1641349042.460:2559): apparmor="DENIED" > operation="ptrace" profile="apache2//HANDLING_UNTRUSTED_INPUT" > pid=2792993 comm="ss" requested_mask="readby" denied_mask="readby" > peer="/bin/ss" > > So ss i

Bug#1003153: /etc/apparmor.d/usr.sbin.apache2: Apache profile complains when ss -tnlp is run

Package: libapache2-mod-apparmor Version: 2.13.6-10 Severity: minor File: /etc/apparmor.d/usr.sbin.apache2 Hi AppArmor maintainers, I noticed if I (or a script) ran "ss -tnlp" then my logs would show a lot of lines like: audit: type=1400 audit(1641349042.460:2559): apparmor="DENIED" operation="